United States Patent and Trademark Office 



UNITED STATES DEPARTMENT OF COMMERCE 
United States Patent and Trademark Office 

Address: COMMISSIONER FOR PATENTS 
P.O. Box L450 

Alexandria, Virginia 223 13-1450 
www.uspto.gov 



APPLICATION NO. 



FILING DATE 



FIRST NAMED INVENTOR 



ATTORNEY DOCKET NO. 



CONFIRMATION NO. 



10/600,113 



22879 



06/20/2003 



Amit Raikar 



7590 



11/03/2006 



HEWLETT PACKARD COMPANY 
P O BOX 272400, 3404 E. HARMONY ROAD 
INTELLECTUAL PROPERTY ADMINISTRATION 
FORT COLLINS, CO 80527-2400 



200309309-1 



7736 



EXAMINER 



CERVETTI, DAVID GARCIA 



ART UNIT 



PAPER NUMBER 



2136 

DATE MAILED: 1 1/03/2006 



Please find below and/or attached an Office communication concerning this application or proceeding. 



PTO-90C (Rev. 10/03) 



W//ff(*t7 /nwlfi/ff xjUfill Hat y 


Application No. 

♦10/600,113 


Applicant(s) 
RAIKARETAL 


Examiner 

David G. Cervetti 


Art Unit 

2136 





-- The MAILING DA TE of this communication appears on the cover sheet with the correspondence address - 
Period for Reply 



A SHORTENED STATUTORY PERIOD FOR REPLY IS SET TO EXPIRE 3 MONTH(S) OR THIRTY (30) DAYS, 
WHICHEVER IS LONGER, FROM THE MAILING DATE OF THIS COMMUNICATION. 
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DETAILED ACTION 

1. Claims 1-20 are pending and have been examined. 

Information Disclosure Statement 

2. It is noted that no Information Disclosure has been filed in this application, even 
though the Background section of the Specification discloses multiple vendors provide 
intrusion detection systems with some of the features claimed (i.e. issuing alerts - 
claims 2 and 5 - and providing responses to the detected intrusion - claims 1, 3, and 
others). An IDS stating the prior art Applicant is aware of is respectfully requested. 

Drawings 

3. The drawings are objected to as failing to comply with 37 CFR 1 .84(p)(5) 
because they do not include the following reference sign(s) mentioned in the 
description: 142, 143. Corrected drawing sheets in compliance with 37 CFR 1.121(d) 
are required in reply to the Office action to avoid abandonment of the application. Any 
amended replacement drawing sheet should include all of the figures appearing on the 
immediate prior version of the sheet, even if only one figure is being amended. Each 
drawing sheet submitted after the filing date of an application must be labeled in the top 
margin as either "Replacement Sheet" or "New Sheet" pursuant to 37 CFR 1.121(d). If 
the changes are not accepted by the examiner, the applicant will be notified and 
informed of any required corrective action in the next Office action. The objection to the 
drawings will not be held in abeyance. 

4. The drawings are objected to as failing to comply with 37 CFR 1 .84(p)(4) 
because: reference character "150" has been used to designate both utility controller 
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database and equipment rack; reference character "357" has been used to designate 
both communication bus and communication port. Corrected drawing sheets in 
compliance with 37 CFR 1.121(d) are required in reply to the Office action to avoid 
abandonment of the application. Any amended replacement drawing sheet should 
include all of the figures appearing on the immediate prior version of the sheet, even if 
only one figure is being amended. Each drawing sheet submitted after the filing date of 
an application must be labeled in the top margin as either "Replacement Sheet" or "New 
Sheet" pursuant to 37 CFR 1 .121(d). If the changes are not accepted by the examiner, 
the applicant will be notified and informed of any required corrective action in the next 
Office action. The objection to the drawings will not be held in abeyance. 
5. The drawings are objected to as failing to comply with 37 CFR 1 .84(p)(4) 
because: reference characters "172" and "173" have both been used to designate 
network application management platform (pages 13-14); reference characters "300" 
and "350" have both been used to designate computer system (page 22). Corrected 
drawing sheets in compliance with 37 CFR 1.121(d) are required in reply to the Office 
action to avoid abandonment of the application. Any amended replacement drawing 
sheet should include all of the figures appearing on the immediate prior version of the 
sheet, even if only one figure is being amended. Each drawing sheet submitted after the 
filing date of an application must be labeled in the top margin as either "Replacement 
Sheet" or "New Sheet" pursuant to 37 CFR 1.121(d). If the changes are not accepted by 
the examiner, the applicant will be notified and informed of any required corrective 
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action in the next Office action. The objection to the drawings will not be held in 
abeyance. 

6. It is respectfully noted that this is not a complete list of informalities 
regarding the drawings. Appropriate correction is required. 

Specification 

7. The disclosure is objected to because of the following informalities: "VGA" (page 
9), "SNMP", "API" (page 16), "GUI", "DNS", "IP" (page 18), "NNM" (page 21). These 
terms have not been defined. Appropriate correction is required. 

Double Patenting 

8. Claims 1-20 are provisionally rejected under the judicially created doctrine of 
obviousness-type double patenting as being unpatentable over claims 1-27 of 
copending Application No. 10/627,374. Although the conflicting claims are not identical, 
they are not patentably distinct from each other because the subject matter claimed in 
the instant application is fully disclosed in the referenced copending application. 

9. This is a provisional obviousness-type double patenting rejection because the 
conflicting claims have not in fact been patented. 

10. The subject matter claimed in the instant application is fully disclosed in the 
referenced copending application and would be covered by any patent granted on that 
copending application since the referenced copending application and the instant 
application are claiming common subject matter, as follows: 

the instant application discloses an integrated intrusion detection method 
comprising: gathering information from a plurality of different types of 
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intrusion detection sensors; processing said information, wherein said 
processing provides a consolidated correlation of said information; 
assigning a response corresponding to said information; and 
implementing said response; 

the copending application discloses a method for configuring an intrusion 
detection system in a network, comprising: determining a location for a 
deployed intrusion detection sensor of said intrusion detection system 
wherein said sensor in enabled to monitor communication in a portion of 
said network; deploying said intrusion detection sensor in said location in 
said network; tuning said intrusion detection sensor to an appropriate 
level of awareness of content in said communication in said network; 
prioritizing responses generated by said intrusion detection sensor to 
achieve an appropriate response to a detected intrusion in said network; 
and configuring intrusion response mechanisms in said network to 
achieve an appropriate response by said mechanisms. 

1 1 . Claims 1-20 of the instant application are envisioned by copending Application 
No. 10/627,374's claims 1-27 in that claims 1-27 of the copending application contain all 
the limitations of claims 1-20 of the instant application. Claims 1-20 of the instant 
application therefore are not patently distinct from the copending application claims and 
as such are unpatentable for obvious-type double patenting. 

12. Claims 1-20 are provisionally rejected under the judicially created doctrine of 
obviousness-type double patenting as being unpatentable over claims 1-19 of Patent 
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7,007,301. Although the conflicting claims are not identical, they are not patentably 
distinct from each other because the subject matter claimed in the instant application is 
fully disclosed in the referenced patent. 

13. This is a provisional obviousness-type double patenting rejection because the 
conflicting claims have not in fact been patented. 

14. The subject matter claimed in the instant application is fully disclosed in the 
referenced patent and is covered by the patent granted since the referenced patent and 
the instant application are claiming common subject matter, as follows: 

the instant application discloses an integrated intrusion detection method 
comprising: gathering information from a plurality of different types of 
intrusion detection sensors; processing said information, wherein said 
processing provides a consolidated correlation of said information; 
assigning a response corresponding to said information; and 
implementing said response; 

the patent discloses a computer architecture for an intrusion detection 
system, comprising: a control agent to interface with a management 
system and to monitor system activity; at least one data gathering 
component which gathers kernel audit data and syslog data; at least one 
correlator to interpret and analyzes the kernel audit data and the syslog 
data using at least one detection template, wherein said at least one 
correlator uses an event driven correlation using an Event Correlation 
Services (ECS) engine core, wherein said at least one detection template 
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is selected from the group including: a modification of files/directories 
template; a chance to log files template; a SetUID files template; a 
creation of world-writables template; a repeated failed logins template; a 
repeated failed SU commands template; a race conditions attack 
template; a buffer overflow attacks template; a modification of another 
user's file template; a monitor for the start of interactive sessions 
template; and a monitor logins/logouts template.. 

15. Claims 1-20 of the instant application are envisioned by Patent 7,007,301 's 
claims 1-19 in that claims 1-19 of the patent contain all the limitations of claims 1-20 of 
the instant application. Claims 1-20 of the instant application therefore are not patently 
distinct from the patent claims and as such are unpatentable for obvious-type double 
patenting. 

Claim Rejections - 35 USC § 112 

16. The following is a quotation of the first paragraph of 35 U.S.C. 112: 

The specification shall contain a written description of the invention, and of the manner and process of 
making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the 
art to which it pertains, or with which it is most nearly connected, to make and use the same and shall 
set forth the best mode contemplated by the inventor of carrying out his invention. 

17. Claim 10 is rejected under 35 U.S.C. 112, first paragraph, as failing to comply 
with the written description requirement. The claim(s) contains subject matter which 
was not described in the specification in such a way as to reasonably convey to one 
skilled in the relevant art that the inventor(s), at the time the application was filed, had 
possession of the claimed invention. There are only two mentions of a "hook" in the 
specification without a clear explanation of what it is or what purpose it serves. 
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18. The following is a quotation of the second paragraph of 35 U.S.C. 112: 

The specification shall conclude with one or more claims particularly pointing out and distinctly 
claiming the subject matter which the applicant regards as his invention. 

19. Claims 7-8 and 10 are rejected under 35 U.S.C. 112, second paragraph, as 
being indefinite for failing to particularly point out and distinctly claim the subject matter 
which applicant regards as the invention. 

20. The term "appropriate response/hooks" in these claims is a relative term which 
renders the claims indefinite. The term "appropriate" is not defined by the claim, the 
specification does not provide a standard for ascertaining the requisite degree, and one 
of ordinary skill in the art would not be reasonably apprised of the scope of the 
invention. 

21. Claim 7 recites the limitation "said detection sensors". There is insufficient 
antecedent basis for this limitation in the claim. 

Claim Rejections - 35 USC § 102 

22. The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that 
form the basis for the rejections under this section made in this Office action: 

A person shall be entitled to a patent unless - 

(e) the invention was described in (1) an application for patent, published under section 122(b), by 
another filed in the United States before the invention by the applicant for patent or (2) a patent 
granted on an application for patent by another filed in the United States before the invention by the 
applicant for patent, except that an international application filed under the treaty defined in section 
351(a) shall have the effects for purposes of this subsection of an application filed in the United States 
only if the international application designated the United States and was published under Article 21(2) 
of such treaty in the English language. 

23. Claims 1-20 are rejected under 35 U.S.C. 102(e) as being anticipated by 
Desai et al. (US Patent Application Publication 2003/0188189, hereinafter Desai). 
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Regarding claim 1, Desai teaches an integrated intrusion detection method 
comprising (paragraphs 34-39): 

gathering information from a plurality of different types of intrusion 
detection sensors (paragraphs 44-49); 
processing said information, wherein said processing provides a 
consolidated correlation of said information (paragraphs 46-54); 
assigning a response corresponding to said information (paragraphs 52- 
55); and 

implementing said response (paragraphs 63-76). 
Regarding claim 8, Desai teaches a computer usable storage medium having 
computer readable program code embodied therein for causing a computer system to 
implement intrusion detection instructions comprising (paragraphs 34-39): 

a data collection module for receiving information from a plurality of 
different types of security examination components, wherein said 
information indicates potential security issues (paragraphs 44-49); 
an integration module for integrating said information in a network 
application management platform (paragraphs 46-54); 
a reaction determination module for determining appropriate response to 
indication of said potential security issues (paragraphs 52-55); and 
a reaction direction module for directing said response (paragraphs 63- 
76). 
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Regarding claim 17, Desai teaches an intrusion detection central system 
comprising (paragraphs 34-39): 

a bus for communicating information (paragraphs 44-49); 
a processor coupled to said bus, said processor for processing said 
information including instructions for coordinating security information 
from a plurality of different security intrusion attempt identification 
components (paragraphs 46-54); and 

a memory coupled to said bus, said memory for storing said information, 
including instructions for coordinating security information from a plurality 
of different security intrusion attempt identification components 
(paragraphs 63-76). 
Regarding claims 2 and 9, Desai teaches wherein said information includes 
intrusion detection alerts (paragraphs 49-56). 

Regarding claim 3, Desai teaches centrally tracking information associated with 
intrusion detection alerts from said plurality of different types of intrusion detection 
sensors (paragraphs 45-52). 

Regarding claim 4, Desai teaches wherein said tracking information associated 
with intrusion detection includes assigning severity assignments standardized across 
said plurality of different types of intrusion detection sensors (paragraphs 51-56). 

Regarding claim 5, Desai teaches wherein said intrusion detection alerts are 
correlated based upon various alert attributes (paragraphs 45-53). 
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Regarding claim 6, Desai teaches wherein said response conforms to an 
enterprise wide strategy (paragraphs 56-62). 

Regarding claim 7, Desai teaches managing said detection sensors 
(paragraphs 41-46). 

Regarding claim 10, Desai teaches wherein said integration module selects 
appropriate hooks in an intrusion detection system (paragraphs 51-57). 

Regarding claim 11, Desai teaches wherein said data collection module logs 
alerts from said plurality of different types of security examination components 
(paragraphs 45-53). 

Regarding claim 12, Desai teaches wherein said alerts are provided by a simple 
network management protocol (SNMP), a system log and an application program 
interface (paragraphs 42-52). 

Regarding claim 13, Desai teaches wherein said integration module includes 
analyzing a plurality of manners in which an alert can be provided and selecting the 
manner that is the most secure with the least dependencies in a communication path 
(paragraphs 66-78). 

Regarding claim 14, Desai teaches wherein said integration module utilizes a 
network application management platform to log information (paragraphs 42-52). 

Regarding claim 15, Desai teaches wherein: an open view operation simple 
network management protocol trap is utilized to handle simple network management 
protocol trap based alerts; an open view operation log file encapsulator handles system 
log based alerts; and an open view message interceptor handles application program 
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interface propagated alerts with the help of an operation message mechanism 
(paragraphs 41-52). 

Regarding claim 16, Desai teaches wherein a secure open view template 
configuration is utilized to log information and the one message group is configured for 
handling intrusion detection system alerts and another message group is configured for 
handling intrusion detection system errors (paragraphs 45-52, 75-79). 

Regarding claim 18, Desai teaches wherein said instructions include security 
management instructions implemented on a network application management platform 
(paragraphs 64-79). 

Regarding claim 19, Desai teaches a central console for interfacing with said 
network application management platform (paragraphs 95-101). 

Regarding claim 20, Desai teaches wherein said instructions include incident 
reaction instructions (paragraphs 66-78). 

Conclusion 

24. The prior art made of record and not relied upon is considered pertinent to 
applicant's disclosure. Hackenberger et al. (US Patent Application Publication 
2002/0184532) teaches multiple security modules providing alerts, Fischman et al (US 
Patent Application Publication 2003/0097588) teaches correlating security information 
from diverse sources for intrusion detection, Bruton, III et al. (US Patent Application 
Publication 2003/0145225) teaches a centralized intrusion detection system, Scheidell 
(US Patent Application Publication 2004/0098623) teaches an IDS gathering 
information from a plurality of different types of intrusion detection sensors; processing 
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said information, wherein said processing provides a consolidated correlation of said 
information; assigning a response corresponding to said information; and implementing 
said response. 

25. Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to David G. Cervetti whose telephone number is (571) 272- 
5861 . The examiner can normally be reached on Monday-Friday 7:00 am - 5:00 pm, off 
on Wednesday. 

26. If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Nasser G. Moazzami can be reached on (571) 272-4195. The fax phone 
number for the organization where this application or proceeding is assigned is 571- 
273-8300. 

27. Information regarding the status of an application may be obtained from the 
Patent Application Information Retrieval (PAIR) system. Status information for 
published applications may be obtained from either Private PAIR or Public PAIR. 
Status information for unpublished applications is available through Private PAIR only. 
For more information about the PAIR system, see http://pair-direct.uspto.gov. Should 
you have questions on access to the Private PAIR system, contact the Electronic 
Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a 
USPTO Customer Service Representative or access to the automated information 
system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. 
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